Policies
By working together, we agree to work in alignment with the following policies.
This privacy notice explains how I collect, store, and process your personal information in line with the UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018.
- Lawful Basis for Processing
I process your personal data under the lawful basis of legitimate interests (Article 6(1)(f) UK GDPR). This means the information I hold is necessary for us to work together and is what you would reasonably expect me to collect and use.
I also process special category data (health information) under the provision of health care (Article 9(2)(h) UK GDPR).
- Information I Collect
If you enquire about therapy:
Any information you share via email, text, or other messages.
If you attend at least one session:
Basic contact details: name, email address, phone number, home address, and GP surgery.
Information you share as part of our work together.
Audio/video recordings of sessions (only if agreed).
Notes about interventions used or considered in our sessions.
Emails, texts, and messages exchanged between us.
Information from third parties (e.g., GP, insurance company, EAP) where applicable.
- How I Use Your Information
Your data is used to:
Provide therapy to you.
Enable my work to be clinically assessed for professional standards.
I do not share your information unless:
You have given consent.
I am required to by law.
It is necessary to prevent serious harm to yourself or others.
Where sharing is required, I will usually discuss it with you first.
- Where and How Your Data is Stored
Emails: stored in my email inbox, accessed only from my secure laptop or work mobile.
Texts: stored on my work phone, which is kept locked away outside of working hours.
Session notes: kept in a locked personal filing system.
Audio/video recordings: stored on an encrypted external drive, locked in a filing cabinet.
Digital security: 2-factor authentication is enabled for sensitive accounts.
If using online platforms (e.g., video conferencing, cloud storage), I ensure that any data transfers outside the UK/EU meet GDPR adequacy standards or have equivalent safeguards.
Online therapy sessions: When conducting sessions via online video platforms such as Google Meet, sessions are carried out in a private and secure environment. Sessions are not recorded without your explicit consent. Clients are encouraged to participate from a private, interruption-free space to maintain confidentiality. All data transmitted via these platforms is handled in accordance with GDPR standards.
- How Long I Keep Your Data
I keep client records for 7 years after our work ends, as required by my insurance provider. After this time:
Paper records are shredded.
Digital records are permanently deleted.
- Your Rights
Under UK GDPR, you have the right to:
Access: request a copy of all data I hold about you.
Rectification: ask me to correct inaccurate or incomplete data.
Erasure: request deletion of your data (unless I am required to keep it for legal/insurance reasons).
Restriction: ask me to limit how your data is used.
Portability: request that your data be transferred to another provider.
Object: to processing based on legitimate interests, direct marketing (which I do not do), or certain research purposes.
Requests will be actioned within 30 days wherever possible.
- Data Breaches
If a data breach occurs, I will inform the Information Commissioner’s Office (ICO) and any affected individuals within 72 hours, along with details of steps taken to minimise risk.
- Complaints
If you have concerns about how your data has been handled, please contact me in the first instance. You can also contact the ICO:
Information Commissioner’s Office – www.ico.org.uk / 0303 123 1113
This policy explains how I use social media as a health professional, the boundaries I maintain online, and how these protect both your privacy and the integrity of our therapeutic relationship.
It does not prevent you from sharing that you are in therapy if you wish. However, my duty of confidentiality means that I will never disclose you are my client without your explicit consent.
1. Friend Requests and Connections
I do not accept “friend” or connection requests from current or former clients on personal social media (Facebook, Instagram, Twitter/X, LinkedIn, etc.). This is to protect:
· Your confidentiality.
· Our professional boundaries.
You are welcome to raise any questions about this in session.
2. Following and Liking
You may follow or “like” any of my professional public social media pages, but:
· These interactions are visible to others.
· Your activity (likes, comments, shares) may appear on your own profile.
To maintain ethical boundaries, I will not follow you back or view your online activity without your consent and a clear therapeutic purpose. If there is online content you’d like to discuss, please bring it into our sessions.
3. Messaging
Please do not use social media direct messages, wall posts, or casual texts to contact me about therapy.
· These channels are not secure.
· Such exchanges could become part of your legal medical record.
For appointment changes or therapy-related matters, please use email or phone.
4. Searching for Clients Online
I do not search for clients on Google, Facebook, or other platforms. An exception may be made only in a crisis where I believe you are at serious risk and cannot be contacted through normal means. In that case:
· Any search will be documented.
· We will discuss it at our next session.
5. Online Reviews
My business may appear on public review sites without my involvement.
· I do not request or respond to reviews from clients.
· If you leave a review, be aware that it may reveal personal information in a public forum.
If you have concerns about your therapy, I encourage you to discuss them with me directly. If you wish to raise a formal complaint, you can contact the NSTT here: https://thenationalsociety.net/complaints-procedure/
6. Location-Based Services (LBS)
If you use apps that share your location (e.g., check-ins, GPS-enabled social media), others could infer that you are a client if you regularly attend in-person sessions. Please consider disabling LBS if this is a concern.
7. Policy Updates
As technology evolves, this policy may change. Updates will be emailed to you directly.